NATIONAL ENDOWMENT FOR THE ARTS
OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT
Fiscal Year 2005 Evaluation of NEA's Compliance with the
Federal Information Security Management Act of 2002

REPORT NO. R-06-01
OCTOBER 4, 2005

The Federal Information Security Management Act of 2002 requires an annual evaluation by the Inspector General of its agency's security programs and practices. This report is an evaluation of NEA's security program and practices for protecting its information technology (IT) infrastructure.

BACKGROUND

The Federal Information Security Management Act (FISMA) of 2002 was signed into law on November 27, 2002. It replaces the Government Information Security Reform Act (GISRA), which expired in November 2002. The Act requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security over the operations and assets of the agency. This includes:

   •   Periodic risk assessments;
   •   Policies and procedures that are based on risk assessments;
   •   Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
   •   Security awareness training to inform employees (including contractors) of the security risks associated with their activities and their responsibilities to comply with those agency policies and procedures designed to reduce those risks;
   •   Periodic testing and evaluation of the effectiveness of information security policies;
   •   A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
   •   Procedures for detecting, reporting, and responding to security incidents; and
   •   Plans and procedures to ensure continuity of operations of the agency's information systems.

OMB Memorandum M-05-15, dated June 13, 2005, entitled "FY 2005 Reporting Instructions for the Federal Information Security Management and Agency Privacy Management," updates instructions to Senior Agency Officials for Privacy, Chief Information Officers and Inspectors General for reporting their 2005 information to OMB.

The National Institute of Standards and Technology (NIST), which has the responsibility for developing technical standards and related guidance, has issued numerous publications including An Introduction to Computer Security: The NIST Handbook. This publication explains important concepts, cost considerations, and interrelationships of security controls as well as the benefits of such controls. NIST also has published a Guide for Developing Security Plans for Information Technology Systems. In addition, guidance is found in the Government Accountability Office publication, Federal Information System Controls Audit Manual (FISCAM). NIST has recently issued Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; Special Publication 800-53, Recommended Security Controls for Federal Information Systems; and FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems.

NEA's Office of Information and Technology Management (ITM) maintains and operates two of three core systems on a local area network (LAN). These are the Grants Management System (GMS), which contains information on grant applications, and the Automated Panel Bank System (APBS), which contains information on panelists who review grant applications. NEA has contracted the Department of Transportation Enterprise Service Center to host NEA's Financial Management System (FMS) through its Delphi Financial Management System. In addition, NEA operates support systems including electronic mail and internet and intranet services.

The Chief Information Officer (CIO) is responsible for developing policies and procedures to ensure that security is provided over NEA's computer and data networks.

OBJECTIVE AND SCOPE

The objective of the evaluation was to determine the adequacy of NEA's information technology (IT) security program and practices. This included a review of NEA's IT security policies and procedures, interviews with responsible agency officials managing the IT systems, and tests of the effectiveness of security controls.

PRIOR EVALUATION

The NEA Office of Inspector General issued a report entitled "Fiscal Year 2004 Evaluation of NEA's Compliance with the Federal Information Security Act of 2002" (Report No. R-05-01) on October 5, 2004. The report recommended that NEA ITM (1) develop written policies and procedures related to change management and control for the development and modification of systems, and (2) establish a training plan that includes periodic refresher IT security awareness training for all NEA employees.

Of the two recommendations in the prior evaluation, NEA has implemented the recommendation related to change management. NEA has also established a training plan that includes periodic refresher IT security awareness training for all NEA employees, but had not provided any such training to NEA employees as of the time of our evaluation in September 2005.

EVALUATION RESULTS

Our current evaluation determined that there are several issues that need to be addressed by NEA's Information and Technology Management Division. These include issues related to security certification and accreditation, the replacement of Windows 2000 servers, and the implementation of periodic security training for all NEA employees. Details are presented in the following narrative.

Risk Assessment

SeNet International Corporation was contracted to perform a risk assessment, the results of which were issued on August 26, 2005. (See Appendix 1.) The review concluded, "The implementation and management of the security architecture supporting the National Endowment for the Arts enterprise network appears to require strengthening in order to more effectively restrict unauthorized internal access to information resources."

The review cited the following weaknesses at the time of its review:

   •   Systems were discovered that did not have the latest security patches,
   •   Systems were discovered running unnecessary or potentially vulnerable services,
   •   Weak passwords were identified, and
   •   Open shares were discovered where potentially sensitive information could be discovered.

NEA ITM has addressed these weaknesses in "The Security Audit Action Plan," which is included as Appendix 2. The only vulnerability remaining for corrective action relates to systems that were discovered running unnecessary or potentially vulnerable services. The solution is to replace the Windows 2000 systems with Windows 2003 Servers. According to NEA ITM officials, the new servers will be installed by December 31, 2005.

NIST Self-Assessment

ITM used the National Institute of Standards and Technology (NIST) self-assessment guide (Special Publication 800-26, "Security Self-Assessment Guide for Information Technology Systems") to review NEA's systems in September 2005. The prior year's assessment noted that ITM must develop a written change management control policy and procedures for the development and modification of its systems. Such policy and procedures are important because any system change can have security implications that may introduce or remove vulnerabilities. Such a policy and procedures were developed and implemented in December 2004.

Security Plan

NEA issued its security plan for each of its in-house GMS and APBS systems, addressing FISMA and OMB requirements, in September 2004. The development of security plans is an important activity in an agency's information security program that directly supports the security accreditation process required under FISMA and OMB Circular A-130. Security plans should ensure that adequate security is provided for all agency information collected, processed, stored, or disseminated in NEA's general support systems and major applications.

Security Certification and Accreditation. NEA hosts both the Grants Management System (GMS), which contains information on grant applications, and the Automated Panel Bank System (APBS), which contains information on panelists who review grant applications. NEA has contracted the Department of Transportation Enterprise Service Center to host NEA's Financial Management System (FMS) through its Delphi Financial Management System. The two NEA-hosted systems were certified and accredited on September 26, 2004.

The 2005 SeNet Report noted that three major systems were identified and granted the Authority to Operate in November 2004. In its review of the Certification and Accreditation (C & A) documentation, SeNet stated, "it appears that the process that was used to perform the C & A does not meet established best practices or federal guidelines. For example, the LAN is not even considered and a GSS (General Support System) was not identified." The SeNet report recommended that NEA create four separate C & A packages.

Disaster Recovery Plan

NEA has documented its disaster recovery plan (July 2002). The recovery plan provides that:

   •   NEA will maintain an alternate e-mail address resident on a server outside of the NEA facilities to support emergency communications.
   •   An Emergency Recovery Server will be maintained within the building, but in a physical location distant from ITM, to facilitate Level One and Level Two recoveries. It shall contain current software, updated nightly, that duplicates that which is in use by NEA.
   •   Standby network equipment will be maintained in a location outside of ITM to restore operations.
   •   At the end of every business day, two backup copies of all systems data will be taken. One will be stored outside of the building and one will be stored within the building, but outside of the Computer Center.

Security Training

ITM had previously documented a security-training plan (August 2002) for ITM staff and contractors. The purpose of the plan was to ensure that NEA employees with significant security responsibilities (1) have the most current computer security information and (2) have an adequate understanding of computer/IT security laws and requirements.

NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, and NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, provide the standards for security awareness and training. It is noted that although new NEA employees are given general security awareness training as part of their orientation, NEA does not provide refresher IT security training to its employees on a regular basis. ITM does send out periodic IT security awareness flyers and e-mails to its employees, but NIST Pub 800-16 states that "awareness is not training." We recommended in our 2004 evaluation that ITM establish a training plan that includes periodic refresher IT security awareness training for all of NEA's employees.

NEA ITM established a training policy in November 2004 that included a security education plan. One of the subject areas of that plan was refresher training, which was defined as "programs and products designed to provide continuing education to the Agency community on relevant security topics. Such programs include annual briefings through the Government Online Learning Center." As of September 29, 2005, no such refresher training has been offered to NEA employees. We recommend that NEA ITM implement security awareness training for all NEA employees as soon as possible.

Security Incidents

NEA has formalized a "Computer Security Incident Policy" (Revised November 2003), which (1) identifies the type of activity characterized as a computer security incident, and (2) defines the steps to be taken to report a computer security incident. The policy applies to all permanent and temporary employees, including contractors who utilize NEA's computer equipment and systems.

Security incidents have generally become more frequent, whether they are caused by viruses, hackers, or software bugs. Appendix III to OMB Circular A-130 states:

       When faced with a security incident, an agency should be able to respond in a manner that both protects its own information and helps to protect the information of others who might be affected by the incident. To address this concern, agencies should establish formal incident response mechanisms. Awareness and training for individuals with access to the system should include how to use the system's incident response capability.

All NEA computer security incidents are handled by ITM's Computer Security Incident Team (CSIT), which consists of two employees from ITM's Customer Services Division and two employees from ITM's Plans, Policy and Programs Division. One employee, who is designated as the CSIT coordinator, serves as the team's central resource for monitoring computer security incidents.

NEA's policy states, "Any employee or contractor who has knowledge of a computer security incident should report the incident to the CSIT Coordinator via e-mail (or phone if e-mail is not available)."

Our 2003 evaluation recommended that NEA revise its computer security incident policy to reflect FedCIRC timeframe requirements for security incident reporting. A revised computer incident policy was issued in November 2003 and established timeframes for reporting security incidents to FedCIRC.

Despite numerous attempts to intrude into NEA systems during the past year, there were no successful incidents referred by employees to NEA ITM officials within the context of NEA's Computer Security Incident Policy.

Access Controls

ITM developed and implemented an "Access Control Policy" in December 2001 that established procedures for removing terminating employees' user IDs and passwords for the LAN, e-mail and mission-critical systems. ITM also developed and implemented procedures applicable to employees terminating their NEA employment that specifically note the steps required to clear applicable user IDs and passwords.

NIST recommends periodic reviews of user account information for managing user access. NEA does have controls in place that require LAN users to change their passwords every 60 days and ensure that intruders (those who make numerous attempts to access the LAN) are locked out of the system after four attempts to log in with an invalid password.

Our 2002 evaluation noted that ITM was not always notified when school interns leave NEA. These are students who work during the summer or break periods, but are not paid by NEA. Since NEA does not pay the interns, there was no means to ensure that exit clearance procedures were followed (such as withholding their final pay). In addition, the supervisors of these interns were not always informing ITM of their departure because there was no requirement to do so. Thus, these interns could potentially continue to access and use the e-mail system from an alternate location for unauthorized purposes. As a result, NEA instituted new sign-out procedures for interns, temporary contractors and volunteers. However, our 2003 evaluation found that ITM was still not being informed in a timely manner about such individuals. Although ITM has requested departure dates from the Human Resources Division for these temporary employees, the dates were not always provided. We recommended that ITM not initiate computer or e-mail access unless a departure date is provided.

As a result, the "Access Control Policy" was revised in November 2003 to include that "before computer access can be granted to temporary employees/contractors, the Human Resources Division must inform ITM of the anticipated end dates for these individuals' assignments in order to ensure that their access rights are removed at the appropriate time." The SeNet report noted that weak passwords were identified, and NEA ITM immediately implemented a stronger password policy.

Physical Controls

NEA appears to have adequate physical controls to protect its IT inventories and supplies. The facilities are protected by fire alarms and sprinkler systems. Access to NEA's space in the building is controlled by guards who require proper identification for entry. During nonworking hours, sign-in and sign-out procedures are in effect. The computer data room has cipher locks on restricted areas, and this entire area is secured and locked from 7:30 PM to 6:30 AM on weekdays and throughout the weekend.

If NEA contracts for IT services that require access to its computer data room, the access code (via a cipher lock) that is used by the contractor is different from the code used by NEA ITM employees. In addition, the contractor's access code is changed whenever one of the contractor's operators is terminated.

Inventory Controls

NEA has conducted a physical inventory of its hardware and has updated its inventory listing (dated September 12, 2005). The inventory lists each item by office, barcode number, serial number, manufacturer, model number and description, as well as the user. The inventory is maintained on a perpetual basis and is updated as equipment is added or deleted.

Contractor Security

NEA appears to have imposed adequate security measures on its contractors. All short-term (data entry) contractors have limited computer access. That is, they do not get a full menu upon login and are limited in what they can input into the system, which is restricted by their user name and password. For example, they cannot access or input data into any systems management function. They also do not have internet or intranet access. Since the contracts are short-term, users are deleted from the system upon contract termination.

Computer access for a contractor involved with NEA systems and the help desk generally is unrestricted. However, the CIO and ITM carefully screen these contractors and require background checks.

Financial Management System

NEA has an agreement with the U.S. Department of Transportation (DOT) to utilize the Enterprise Service Center's Oracle Federal Financials System, Delphi, as its financial management system. As part of our evaluation, we reviewed the DOT Office of Inspector General (OIG) "Quality Control Review of the Report on Controls over the Delphi Financial Management System, DOT" (Report No. QC-2005-075, dated September 2, 2005). The audit itself was performed by Clifton Gunderson, LLP, an independent auditor. The DOT OIG performed a quality control review of Gunderson's work to ensure that it complied with Generally Accepted Government Auditing Standards and the American Institute of Certified Public Accountants Statement on Auditing Standards (SAS) 70. In the opinion of the DOT OIG, the audit work complied with applicable standards.

The independent auditor's report made 12 recommendations to improve controls and submitted the recommendations to DOT management. The DOT Deputy Chief Financial Officer concurred with the recommendations and committed to implementing corrective actions in a response dated August 25, 2005.

EXIT CONFERENCE

An exit conference was held with NEA's CIO on October 4, 2005. The CIO generally concurred with our recommendations and has agreed to initiate corrective actions.

RECOMMENDATIONS

We recommend that the NEA Office of Information and Technology Management:

   1. Review the certification and accreditation process for deficiencies identified in the SeNet Vulnerability Analysis Report and take appropriate corrective actions.
   2. Ensure that the Windows 2003 servers are installed in a timely manner.
   3. Implement security awareness training for all NEA employees.

APPENDIX 1

Vulnerability Assessment

August 26, 2005

Prepared by:
SeNet International Corporation
e-Security—we make it practical.

Note: The Office of Inspector General has included only the "Executive Summary" of this report for this Appendix.

1. Executive Summary

The implementation and management of the security architecture supporting the National Endowment for the Arts (NEA) enterprise network appears to require strengthening in order to more effectively restrict unauthorized internal access to information resources. Through the performance of the network security assessment, SeNet discovered that NEA has implemented some effective controls for protecting information resources. However, several areas were identified where NEA can improve upon its security architecture to further enhance its overall security posture. Implementing strong computer security is extremely important for organizations of all sizes.

SeNet last performed a vulnerability assessment for NEA in 2002. Since that time NEA has made some marked improvements in its protection of information resources, especially in the areas of documentation and external perimeter security. When SeNet last performed the review, documentation was severely lacking. Currently NEA has compiled documentation covering the primary security topics. While this is a step in the right direction, there is still more work to do in this area. For example, the C&A package that was reviewed does not follow all of the standards and format that NIST recommends. Likewise, when SeNet last performed vulnerability testing from an external perspective, some serious findings were noted. During this round of external testing no critical findings were noted.

When SeNet began the internal testing, some serious findings were discovered. Through a combination of vulnerabilities the SeNet team was able to compromise several systems and even gain control of the firewall. The majority of these vulnerabilities were related to un-patched systems, unnecessary services, and weak passwords. The vulnerabilities SeNet did find and exploit can all be fixed with minimal financial outlay, but do require time and trained personnel.

The areas of concern noted during the network security assessment contain several high-risk vulnerabilities as well as several medium to low risk vulnerabilities. The more serious vulnerabilities are discussed below; all other vulnerabilities appear in the "Detailed Findings and Recommendations" section and in Appendix A of this report:

Vulnerabilities

   •   Systems were discovered that did not have the latest security patches
   •   Systems were discovered running unnecessary or potentially vulnerable services
   •   Weak passwords were identified
   •   Open shares were discovered where potentially sensitive information could be discovered

It is suggested that NEA follow these recommendations:

   •   Apply the latest security patches
   •   Review all services that are enabled and disable those that are not needed
   •   Enforce the use of strong passwords on all accounts
   •   Review all shares and require authentication

For a complete listing of all recommendations please see Appendix A. Also see the discussion in Section 3 of this report.

NEA management should be aware that due to the potential risk associated with connectivity to the Internet, and the regularity with which new vulnerabilities are identified in information technology, results of test procedures performed may not have revealed all potential vulnerabilities.

APPENDIX 2

The Security Audit Action Plan

Some of the vulnerabilities SeNet found were corrected with minimal financial outlay.

Vulnerabilities

Vulnerability: Systems were discovered that did not have the latest patches.

       Completed Solution: The latest service patches were applied, and it is resolved that once a month the latest patches will be applied to each networked system.

Vulnerability: Systems were discovered running unnecessary or potentially vulnerable services.

       Solution: The systems discovered were Windows 2000 systems that will be replaced with Windows 2003 Servers. This replacement will eliminate the potentially vulnerable services.

Vulnerability: Weak passwords were identified.

       Completed Solution: Enforced the use of strong passwords on all accounts through Directory Services and the password policy.

Vulnerability: Open shares were discovered where potentially sensitive information could be discovered.

       Completed Solution: This open share happens to be the Unix Xerox machine connected to our network. Disconnecting the copier eliminated this problem.

Note: The above Security Audit Action Plan was prepared by NEA ITM.
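The account-handling rules described in the Access Controls section of this report (passwords changed every 60 days, lockout after four invalid login attempts, no access for temporary employees or contractors until Human Resources supplies an end date, and removal of departing users' IDs) can be expressed as a small policy-as-code model that an auditor can exercise against sample accounts. The following is an added example written for this page; it is not code from NEA ITM, the OIG or SeNet. The class and function names, the constructed sample accounts and dates, and the exact comparison used for the 60-day rule (age of 60 days or more counts as expired) are assumptions.

```python
"""Policy-as-code model of the LAN access-control rules described in the report.

Added example, not NEA ITM's code. Accounts and dates below are constructed
sample data; a real directory would store password hashes, not plaintext.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_PASSWORD_AGE_DAYS = 60   # report: LAN users change passwords every 60 days
LOCKOUT_THRESHOLD = 4        # report: lockout after four invalid login attempts


@dataclass
class Account:
    user_id: str
    password: str                  # plaintext only because this is a toy model
    password_set_on: date
    temporary: bool = False
    end_date: Optional[date] = None  # HR-supplied anticipated end of assignment
    failed_attempts: int = 0
    locked: bool = False
    disabled: bool = False


class AccessControlPolicy:
    """Hypothetical enforcement point for the rules quoted in the report."""

    def __init__(self, today: date) -> None:
        self.today = today
        self.accounts: dict[str, Account] = {}

    def provision(self, user_id: str, password: str, temporary: bool = False,
                  end_date: Optional[date] = None) -> Account:
        # Revised Access Control Policy (Nov 2003): temporary employees and
        # contractors get no access until HR has provided an end date.
        if temporary and end_date is None:
            raise ValueError(f"{user_id}: HR must supply an end date before access is granted")
        acct = Account(user_id, password, self.today, temporary, end_date)
        self.accounts[user_id] = acct
        return acct

    def login(self, user_id: str, password: str) -> str:
        """Return "ok", "denied", "locked" or "password-expired"."""
        acct = self.accounts.get(user_id)
        if acct is None or acct.disabled:
            return "denied"
        if acct.locked:
            return "locked"                 # even a correct password is refused
        if password != acct.password:
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked = True
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        if (self.today - acct.password_set_on).days >= MAX_PASSWORD_AGE_DAYS:
            return "password-expired"       # user must change password first
        return "ok"

    def run_daily_review(self) -> list[str]:
        """Periodic account review (NIST): disable temporary accounts past their end date."""
        disabled = []
        for acct in self.accounts.values():
            if (acct.temporary and acct.end_date is not None
                    and acct.end_date <= self.today and not acct.disabled):
                acct.disabled = True
                disabled.append(acct.user_id)
        return disabled

    def terminate(self, user_id: str) -> None:
        # Termination procedure: clear the user ID outright.
        self.accounts.pop(user_id, None)


def demo() -> dict:
    """Exercise each rule against constructed accounts; returns the outcomes."""
    today = date(2005, 9, 29)                     # date used in the report
    policy = AccessControlPolicy(today)
    results: dict = {}

    staff = policy.provision("staff01", "C0rrect-h0rse!")
    staff.password_set_on = today - timedelta(days=75)   # past the 60-day window
    results["stale_password"] = policy.login("staff01", "C0rrect-h0rse!")

    try:                                           # intern with no HR end date
        policy.provision("intern01", "Summer2005!", temporary=True)
        results["intern_without_end_date"] = "granted"
    except ValueError:
        results["intern_without_end_date"] = "refused"

    policy.provision("intern02", "Summer2005!", temporary=True, end_date=date(2005, 8, 31))
    results["review_disabled"] = policy.run_daily_review()
    results["intern02_after_review"] = policy.login("intern02", "Summer2005!")

    policy.provision("ctr01", "Str0ng-Passw0rd#", temporary=True, end_date=date(2005, 12, 31))
    results["lockout_sequence"] = [policy.login("ctr01", f"guess{i}") for i in range(4)]
    results["correct_after_lockout"] = policy.login("ctr01", "Str0ng-Passw0rd#")

    policy.terminate("staff01")
    results["terminated_login"] = policy.login("staff01", "C0rrect-h0rse!")
    return results


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```

Running the module prints one line per rule. The point of the model is that each control in the report maps to one decision in `login`, `provision` or `run_daily_review`, so an auditor can see which control a given refusal came from; the lockout counter is reset only by a successful login, and the review job rather than the login path is what removes expired temporary accounts, mirroring the report's reliance on HR-supplied end dates rather than on supervisors remembering to notify ITM.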